Installing EFS and EBS CSI drivers on AWS

Procedure

  1. For Cloud Pak foundational services on EKS, make sure that you install EBS as a storage class.
    1. Install IAM for EBS and then use the console to install EBS as an add-on. Make sure to edit the --cluster, --name, and --role-name fields.
      export cluster_name=gi-eks # Choose your EKS cluster_name that you have created
      export ebs_role_name=AmazonEKS_EBS_CSI_DriverRole_XXXX # Make sure the role_name is unique, e.g. AmazonEKS_EBS_CSI_DriverRole_Reza
      export region=us-east-2 # Make sure that you choose the region where your cluster is created
      echo "IMPORTANT: Please make sure that you use a unique 'role_name', as it may conflict with pre-existing role names in your AWS account."

      # Look up the cluster's OIDC issuer ID, then associate the IAM OIDC provider with the cluster
      oidc_id=$(aws eks describe-cluster --name ${cluster_name} --region=${region} --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
      eksctl utils associate-iam-oidc-provider --cluster ${cluster_name} --region ${region} --approve

      # Create the IAM role and bind it to the EBS CSI controller service account
      eksctl create iamserviceaccount \
          --name ebs-csi-controller-sa \
          --namespace kube-system \
          --cluster ${cluster_name} \
          --region ${region} \
          --role-name ${ebs_role_name} \
          --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
          --approve
    2. Locate your AWS account ID, set it in awsID, and install the EBS add-on by using this command:
      # The account ID can be read with: aws sts get-caller-identity --query Account --output text
      export awsID=346824953529 # Make sure to update your awsID accordingly
      eksctl create addon \
          --name aws-ebs-csi-driver \
          --cluster ${cluster_name} \
          --region=${region} \
          --service-account-role-arn arn:aws:iam::${awsID}:role/${ebs_role_name} \
          --force

      Replace

      • my-cluster with the name of your cluster
      • 346824953529 with your account ID
      • AmazonEKS_EBS_CSI_DriverRole with the name of the IAM role created earlier
      • If your cluster is in the AWS GovCloud (US-East) or AWS GovCloud (US-West) AWS regions, then replace arn:aws: with arn:aws-us-gov:
    3. To confirm that the EBS driver is installed, run this command:
      eksctl get addon --name aws-ebs-csi-driver --cluster ${cluster_name} --region=${region}
      
      2024-06-28 09:39:41 [ℹ]  Kubernetes version "1.30" in use by cluster "gi-test"
      2024-06-28 09:39:42 [ℹ]  to see issues for an addon run `eksctl get addon --name <addon-name> --cluster <cluster-name>`
      NAME			VERSION			STATUS		ISSUES	IAMROLE								UPDATE AVAILABLE	CONFIGURATION VALUES
      aws-ebs-csi-driver	v1.31.0-eksbuild.1	Active	1	arn:aws:iam::346824953529:role/AmazonEKS_EBS_CSI_DriverRole-t				
      Issue: {Code:InsufficientNumberOfReplicas Message:The add-on is unhealthy because it doesn't have the desired number of replicas. ResourceIDs:[]}

      See https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html for more information.

  2. For Guardium® Insights, make sure that you have both EBS and EFS storage classes on Amazon EKS.
    1. Install the EFS driver on AWS:
      export cluster_name=gi-eks # Choose your EKS cluster_name that you have created
      export efs_role_name=AmazonEKS_EFS_CSI_DriverRole_XXXX # Make sure the role_name is unique, e.g. AmazonEKS_EFS_CSI_DriverRole_Reza
      export region=us-east-2 # Make sure that you choose the region where your cluster is created
      
      eksctl create iamserviceaccount \
          --name efs-csi-controller-sa \
          --namespace kube-system \
          --cluster ${cluster_name} \
          --region=${region} \
          --role-name ${efs_role_name} \
          --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \
          --approve
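    2. Locate your AWS account ID, set it in awsID, and install the EFS add-on by using this command:
      # The account ID can be read with: aws sts get-caller-identity --query Account --output text
      export awsID=346824953529 # Make sure to update your awsID accordingly
      # Install the EFS add-on with the EFS role created in the previous step
      eksctl create addon \
          --name aws-efs-csi-driver \
          --cluster ${cluster_name} \
          --region=${region} \
          --service-account-role-arn arn:aws:iam::${awsID}:role/${efs_role_name} \
          --force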

      Replace

      • my-cluster with the name of your cluster
      • 346824953529 with your account ID
      • AmazonEKS_EFS_CSI_DriverRole with the name of the IAM role created earlier
      • If your cluster is in the AWS GovCloud (US-East) or AWS GovCloud (US-West) AWS regions, then replace arn:aws: with arn:aws-us-gov:
    3. To confirm that the EFS driver is installed, run this command:
      eksctl get addon --name aws-efs-csi-driver --cluster ${cluster_name} --region=${region}
      
      2024-06-28 09:41:15 [ℹ]  Kubernetes version "1.30" in use by cluster "gi-test"
      2024-06-28 09:41:16 [ℹ]  to see issues for an addon run `eksctl get addon --name <addon-name> --cluster <cluster-name>`
      NAME			VERSION			STATUS		ISSUES	IAMROLE								UPDATE AVAILABLE	CONFIGURATION VALUES
      aws-efs-csi-driver	v2.0.4-eksbuild.1	Active	1	arn:aws:iam::346824953529:role/AmazonEKS_EFS_CSI_DriverRole-new				
      Issue: {Code:InsufficientNumberOfReplicas Message:The add-on is unhealthy because it doesn't have the desired number of replicas. ResourceIDs:[]}

      See https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html for more information.
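
Both confirmation steps above show an add-on with STATUS Active and ISSUES 1, so a check for Active alone would pass a driver that has no healthy replicas. The following is an added example, not part of the original procedure: a hypothetical check_addon function that reads `eksctl get addon` output and fails unless the row is Active with zero issues. It assumes the column layout shown on this page; the second sample is constructed.

```bash
#!/usr/bin/env bash
# check_addon NAME  (hypothetical helper, not part of eksctl)
# Reads `eksctl get addon` output on stdin; assumes the column layout shown
# on this page: NAME VERSION STATUS ISSUES IAMROLE ...
# Exit 0: Active with 0 issues. Exit 1: unhealthy. Exit 2: add-on row missing.
check_addon() {
  awk -v name="$1" '
    $1 == name { found = 1; status = $3; issues = $4 }
    /^[ \t]*Issue: / {                      # collect each reported issue code
      if (match($0, /Code:[A-Za-z]+/))
        codes = codes " " substr($0, RSTART + 5, RLENGTH - 5)
    }
    END {
      if (!found) { print name ": not installed"; exit 2 }
      if (tolower(status) != "active") { print name ": status " status; exit 1 }
      if (issues + 0 > 0) { print name ": " status " but " issues " issue(s):" codes; exit 1 }
      print name ": healthy"
    }'
}

# Sample 1: the EBS output shown on this page (Active, but 1 issue).
sample_from_page() {
  cat <<'EOF'
2024-06-28 09:39:41 [ℹ]  Kubernetes version "1.30" in use by cluster "gi-test"
NAME                VERSION             STATUS  ISSUES  IAMROLE
aws-ebs-csi-driver  v1.31.0-eksbuild.1  Active  1       arn:aws:iam::346824953529:role/AmazonEKS_EBS_CSI_DriverRole-t
Issue: {Code:InsufficientNumberOfReplicas Message:The add-on is unhealthy because it doesn't have the desired number of replicas. ResourceIDs:[]}
EOF
}

# Sample 2: constructed for this example (same row with 0 issues).
sample_healthy() {
  cat <<'EOF'
NAME                VERSION             STATUS  ISSUES  IAMROLE
aws-ebs-csi-driver  v1.31.0-eksbuild.1  Active  0       arn:aws:iam::346824953529:role/AmazonEKS_EBS_CSI_DriverRole-t
EOF
}

# Demo: the page's own output fails the gate, the constructed one passes,
# and asking for an add-on that has no row reports it as missing.
sample_from_page | check_addon aws-ebs-csi-driver || echo "gate failed (exit $?)"
sample_healthy   | check_addon aws-ebs-csi-driver || echo "gate failed (exit $?)"
sample_from_page | check_addon aws-efs-csi-driver || echo "gate failed (exit $?)"
```

Against a live cluster, pipe the confirmation command into it, for example `eksctl get addon --name aws-efs-csi-driver --cluster ${cluster_name} --region=${region} | check_addon aws-efs-csi-driver`.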